actionpack 4.2.11.1 → 5.2.6
Potentially problematic release.
- checksums.yaml +4 -4
- data/CHANGELOG.md +328 -458
- data/MIT-LICENSE +1 -1
- data/README.rdoc +6 -7
- data/lib/abstract_controller/asset_paths.rb +2 -0
- data/lib/abstract_controller/base.rb +45 -49
- data/lib/{action_controller → abstract_controller}/caching/fragments.rb +78 -15
- data/lib/abstract_controller/caching.rb +66 -0
- data/lib/abstract_controller/callbacks.rb +47 -31
- data/lib/abstract_controller/collector.rb +8 -11
- data/lib/abstract_controller/error.rb +6 -0
- data/lib/abstract_controller/helpers.rb +25 -25
- data/lib/abstract_controller/logger.rb +2 -0
- data/lib/abstract_controller/railties/routes_helpers.rb +4 -2
- data/lib/abstract_controller/rendering.rb +42 -41
- data/lib/abstract_controller/translation.rb +10 -7
- data/lib/abstract_controller/url_for.rb +2 -0
- data/lib/abstract_controller.rb +12 -5
- data/lib/action_controller/api/api_rendering.rb +16 -0
- data/lib/action_controller/api.rb +149 -0
- data/lib/action_controller/base.rb +27 -19
- data/lib/action_controller/caching.rb +14 -57
- data/lib/action_controller/form_builder.rb +50 -0
- data/lib/action_controller/log_subscriber.rb +10 -15
- data/lib/action_controller/metal/basic_implicit_render.rb +13 -0
- data/lib/action_controller/metal/conditional_get.rb +118 -44
- data/lib/action_controller/metal/content_security_policy.rb +52 -0
- data/lib/action_controller/metal/cookies.rb +3 -3
- data/lib/action_controller/metal/data_streaming.rb +27 -46
- data/lib/action_controller/metal/etag_with_flash.rb +18 -0
- data/lib/action_controller/metal/etag_with_template_digest.rb +20 -13
- data/lib/action_controller/metal/exceptions.rb +8 -14
- data/lib/action_controller/metal/flash.rb +4 -3
- data/lib/action_controller/metal/force_ssl.rb +23 -21
- data/lib/action_controller/metal/head.rb +21 -19
- data/lib/action_controller/metal/helpers.rb +24 -14
- data/lib/action_controller/metal/http_authentication.rb +65 -58
- data/lib/action_controller/metal/implicit_render.rb +62 -8
- data/lib/action_controller/metal/instrumentation.rb +19 -21
- data/lib/action_controller/metal/live.rb +90 -106
- data/lib/action_controller/metal/mime_responds.rb +33 -46
- data/lib/action_controller/metal/parameter_encoding.rb +51 -0
- data/lib/action_controller/metal/params_wrapper.rb +61 -53
- data/lib/action_controller/metal/redirecting.rb +49 -28
- data/lib/action_controller/metal/renderers.rb +87 -44
- data/lib/action_controller/metal/rendering.rb +72 -50
- data/lib/action_controller/metal/request_forgery_protection.rb +284 -97
- data/lib/action_controller/metal/rescue.rb +9 -16
- data/lib/action_controller/metal/streaming.rb +12 -10
- data/lib/action_controller/metal/strong_parameters.rb +583 -164
- data/lib/action_controller/metal/testing.rb +2 -17
- data/lib/action_controller/metal/url_for.rb +19 -10
- data/lib/action_controller/metal.rb +98 -83
- data/lib/action_controller/railtie.rb +28 -10
- data/lib/action_controller/railties/helpers.rb +2 -0
- data/lib/action_controller/renderer.rb +117 -0
- data/lib/action_controller/template_assertions.rb +11 -0
- data/lib/action_controller/test_case.rb +282 -413
- data/lib/action_controller.rb +29 -21
- data/lib/action_dispatch/http/cache.rb +93 -47
- data/lib/action_dispatch/http/content_security_policy.rb +272 -0
- data/lib/action_dispatch/http/filter_parameters.rb +26 -20
- data/lib/action_dispatch/http/filter_redirect.rb +10 -11
- data/lib/action_dispatch/http/headers.rb +55 -22
- data/lib/action_dispatch/http/mime_negotiation.rb +56 -41
- data/lib/action_dispatch/http/mime_type.rb +134 -121
- data/lib/action_dispatch/http/mime_types.rb +20 -6
- data/lib/action_dispatch/http/parameter_filter.rb +25 -11
- data/lib/action_dispatch/http/parameters.rb +98 -39
- data/lib/action_dispatch/http/rack_cache.rb +2 -0
- data/lib/action_dispatch/http/request.rb +200 -118
- data/lib/action_dispatch/http/response.rb +225 -110
- data/lib/action_dispatch/http/upload.rb +12 -6
- data/lib/action_dispatch/http/url.rb +110 -28
- data/lib/action_dispatch/journey/formatter.rb +55 -32
- data/lib/action_dispatch/journey/gtg/builder.rb +7 -5
- data/lib/action_dispatch/journey/gtg/simulator.rb +3 -9
- data/lib/action_dispatch/journey/gtg/transition_table.rb +17 -16
- data/lib/action_dispatch/journey/nfa/builder.rb +5 -3
- data/lib/action_dispatch/journey/nfa/dot.rb +13 -13
- data/lib/action_dispatch/journey/nfa/simulator.rb +3 -1
- data/lib/action_dispatch/journey/nfa/transition_table.rb +5 -48
- data/lib/action_dispatch/journey/nodes/node.rb +18 -6
- data/lib/action_dispatch/journey/parser.rb +23 -22
- data/lib/action_dispatch/journey/parser.y +3 -2
- data/lib/action_dispatch/journey/parser_extras.rb +12 -4
- data/lib/action_dispatch/journey/path/pattern.rb +50 -44
- data/lib/action_dispatch/journey/route.rb +106 -28
- data/lib/action_dispatch/journey/router/utils.rb +20 -11
- data/lib/action_dispatch/journey/router.rb +35 -23
- data/lib/action_dispatch/journey/routes.rb +18 -16
- data/lib/action_dispatch/journey/scanner.rb +18 -15
- data/lib/action_dispatch/journey/visitors.rb +99 -52
- data/lib/action_dispatch/journey.rb +7 -5
- data/lib/action_dispatch/middleware/callbacks.rb +1 -2
- data/lib/action_dispatch/middleware/cookies.rb +304 -193
- data/lib/action_dispatch/middleware/debug_exceptions.rb +152 -57
- data/lib/action_dispatch/middleware/debug_locks.rb +124 -0
- data/lib/action_dispatch/middleware/exception_wrapper.rb +68 -69
- data/lib/action_dispatch/middleware/executor.rb +21 -0
- data/lib/action_dispatch/middleware/flash.rb +78 -54
- data/lib/action_dispatch/middleware/public_exceptions.rb +27 -25
- data/lib/action_dispatch/middleware/reloader.rb +5 -91
- data/lib/action_dispatch/middleware/remote_ip.rb +41 -31
- data/lib/action_dispatch/middleware/request_id.rb +17 -9
- data/lib/action_dispatch/middleware/session/abstract_store.rb +41 -25
- data/lib/action_dispatch/middleware/session/cache_store.rb +24 -14
- data/lib/action_dispatch/middleware/session/cookie_store.rb +72 -67
- data/lib/action_dispatch/middleware/session/mem_cache_store.rb +8 -2
- data/lib/action_dispatch/middleware/show_exceptions.rb +26 -22
- data/lib/action_dispatch/middleware/ssl.rb +114 -36
- data/lib/action_dispatch/middleware/stack.rb +31 -44
- data/lib/action_dispatch/middleware/static.rb +57 -50
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +2 -14
- data/lib/action_dispatch/middleware/templates/rescues/{_source.erb → _source.html.erb} +0 -0
- data/lib/action_dispatch/middleware/templates/rescues/_source.text.erb +8 -0
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +21 -0
- data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +13 -0
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +1 -0
- data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +1 -1
- data/lib/action_dispatch/middleware/templates/rescues/template_error.text.erb +1 -1
- data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +4 -4
- data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +64 -64
- data/lib/action_dispatch/railtie.rb +19 -11
- data/lib/action_dispatch/request/session.rb +106 -59
- data/lib/action_dispatch/request/utils.rb +67 -24
- data/lib/action_dispatch/routing/endpoint.rb +9 -2
- data/lib/action_dispatch/routing/inspector.rb +58 -67
- data/lib/action_dispatch/routing/mapper.rb +733 -447
- data/lib/action_dispatch/routing/polymorphic_routes.rb +166 -140
- data/lib/action_dispatch/routing/redirection.rb +36 -26
- data/lib/action_dispatch/routing/route_set.rb +321 -291
- data/lib/action_dispatch/routing/routes_proxy.rb +32 -5
- data/lib/action_dispatch/routing/url_for.rb +65 -25
- data/lib/action_dispatch/routing.rb +17 -18
- data/lib/action_dispatch/system_test_case.rb +147 -0
- data/lib/action_dispatch/system_testing/browser.rb +49 -0
- data/lib/action_dispatch/system_testing/driver.rb +59 -0
- data/lib/action_dispatch/system_testing/server.rb +31 -0
- data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +96 -0
- data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +31 -0
- data/lib/action_dispatch/system_testing/test_helpers/undef_methods.rb +26 -0
- data/lib/action_dispatch/testing/assertion_response.rb +47 -0
- data/lib/action_dispatch/testing/assertions/response.rb +45 -20
- data/lib/action_dispatch/testing/assertions/routing.rb +30 -26
- data/lib/action_dispatch/testing/assertions.rb +6 -4
- data/lib/action_dispatch/testing/integration.rb +348 -209
- data/lib/action_dispatch/testing/request_encoder.rb +55 -0
- data/lib/action_dispatch/testing/test_process.rb +28 -22
- data/lib/action_dispatch/testing/test_request.rb +27 -34
- data/lib/action_dispatch/testing/test_response.rb +35 -7
- data/lib/action_dispatch.rb +27 -19
- data/lib/action_pack/gem_version.rb +5 -3
- data/lib/action_pack/version.rb +3 -1
- data/lib/action_pack.rb +4 -2
- metadata +56 -38
- data/lib/action_controller/metal/hide_actions.rb +0 -40
- data/lib/action_controller/metal/rack_delegation.rb +0 -32
- data/lib/action_controller/middleware.rb +0 -39
- data/lib/action_controller/model_naming.rb +0 -12
- data/lib/action_dispatch/journey/backwards.rb +0 -5
- data/lib/action_dispatch/journey/router/strexp.rb +0 -27
- data/lib/action_dispatch/middleware/params_parser.rb +0 -60
- data/lib/action_dispatch/testing/assertions/dom.rb +0 -3
- data/lib/action_dispatch/testing/assertions/selector.rb +0 -3
- data/lib/action_dispatch/testing/assertions/tag.rb +0 -3
data/CHANGELOG.md
CHANGED
@@ -1,680 +1,550 @@
|
|
1
|
-
## Rails
|
1
|
+
## Rails 5.2.6 (May 05, 2021) ##
|
2
2
|
|
3
|
-
*
|
4
|
-
|
5
|
-
|
6
|
-
## Rails 4.2.11 (November 27, 2018) ##
|
7
|
-
|
8
|
-
* No changes.
|
9
|
-
|
10
|
-
|
11
|
-
## Rails 4.2.10 (September 27, 2017) ##
|
12
|
-
|
13
|
-
* Fix regression in behavior of `normalize_path`.
|
14
|
-
|
15
|
-
In Rails 5 there was a change to ensure the encoding of the original string
|
16
|
-
in a path was maintained. This was incorrectly backported to Rails 4.2 which
|
17
|
-
caused a regression.
|
18
|
-
|
19
|
-
*Eileen M. Uchitelle*
|
3
|
+
* Accept base64_urlsafe CSRF tokens to make forward compatible.
|
20
4
|
|
21
|
-
|
5
|
+
Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
|
6
|
+
them difficult to deal with. For example, the common practice of sending
|
7
|
+
the CSRF token to a browser in a client-readable cookie does not work properly
|
8
|
+
out of the box: the value has to be url-encoded and decoded to survive transport.
|
22
9
|
|
23
|
-
|
10
|
+
In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
|
11
|
+
safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
|
12
|
+
tokens for backwards compatibility.
|
24
13
|
|
25
|
-
|
26
|
-
|
14
|
+
How the tokes are encoded is controllr by the `action_controller.urlsafe_csrf_tokens`
|
15
|
+
config.
|
27
16
|
|
28
|
-
|
29
|
-
resources :formats do
|
30
|
-
resources :items
|
31
|
-
end
|
32
|
-
```
|
17
|
+
In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded.
|
33
18
|
|
34
|
-
|
35
|
-
`
|
36
|
-
|
19
|
+
**Atention**: If you already upgraded your application to 5.2.5, set the config
|
20
|
+
`urlsafe_csrf_tokens` to `true`, otherwise your form submission will start to fail
|
21
|
+
during the deploy of this new version.
|
37
22
|
|
38
|
-
```
|
39
|
-
|
23
|
+
```ruby
|
24
|
+
Rails.application.config.action_controller.urlsafe_csrf_tokens = true
|
40
25
|
```
|
41
26
|
|
42
|
-
|
43
|
-
route doesn't support a format but we have a test for it so we need to allow it.
|
44
|
-
|
45
|
-
Fixes #28517.
|
46
|
-
|
47
|
-
*Andrew White*
|
48
|
-
|
27
|
+
If you are upgrading from 5.2.4.x, you don't need to change this configuration.
|
49
28
|
|
50
|
-
|
29
|
+
*Scott Blum*, *Étienne Barrié*
|
51
30
|
|
52
|
-
* No changes.
|
53
31
|
|
54
|
-
|
55
|
-
## Rails 4.2.7 (July 12, 2016) ##
|
32
|
+
## Rails 5.2.5 (March 26, 2021) ##
|
56
33
|
|
57
34
|
* No changes.
|
58
35
|
|
59
36
|
|
60
|
-
## Rails
|
61
|
-
|
62
|
-
* No changes.
|
63
|
-
|
37
|
+
## Rails 5.2.4.6 (May 05, 2021) ##
|
64
38
|
|
65
|
-
|
39
|
+
* Prevent regex DoS in HTTP token authentication
|
40
|
+
CVE-2021-22904
|
66
41
|
|
67
|
-
*
|
42
|
+
* Prevent string polymorphic route arguments.
|
68
43
|
|
69
|
-
|
44
|
+
`url_for` supports building polymorphic URLs via an array
|
45
|
+
of arguments (usually symbols and records). If a developer passes a
|
46
|
+
user input array, strings can result in unwanted route helper calls.
|
70
47
|
|
71
|
-
|
48
|
+
CVE-2021-22885
|
72
49
|
|
50
|
+
*Gannon McGibbon*
|
73
51
|
|
74
|
-
## Rails
|
52
|
+
## Rails 5.2.4.5 (February 10, 2021) ##
|
75
53
|
|
76
54
|
* No changes.
|
77
55
|
|
78
56
|
|
79
|
-
## Rails
|
80
|
-
|
81
|
-
* `ActionController::TestCase` can teardown gracefully if an error is raised
|
82
|
-
early in the `setup` chain.
|
83
|
-
|
84
|
-
*Yves Senn*
|
85
|
-
|
86
|
-
* Parse RSS/ATOM responses as XML, not HTML.
|
87
|
-
|
88
|
-
*Alexander Kaupanin*
|
89
|
-
|
90
|
-
* Fix regression in mounted engine named routes generation for app deployed to
|
91
|
-
a subdirectory. `relative_url_root` was prepended to the path twice (e.g.
|
92
|
-
"/subdir/subdir/engine_path" instead of "/subdir/engine_path")
|
93
|
-
|
94
|
-
Fixes #20920. Fixes #21459.
|
95
|
-
|
96
|
-
*Matthew Erhard*
|
97
|
-
|
98
|
-
* `url_for` does not modify its arguments when generating polymorphic URLs.
|
99
|
-
|
100
|
-
*Bernerd Schaefer*
|
101
|
-
|
102
|
-
* Update `ActionController::TestSession#fetch` to behave more like
|
103
|
-
`ActionDispatch::Request::Session#fetch` when using non-string keys.
|
104
|
-
|
105
|
-
*Jeremy Friesen*
|
106
|
-
|
107
|
-
|
108
|
-
## Rails 4.2.4 (August 24, 2015) ##
|
109
|
-
|
110
|
-
* ActionController::TestSession now accepts a default value as well as
|
111
|
-
a block for generating a default value based off the key provided.
|
112
|
-
|
113
|
-
This fixes calls to session#fetch in ApplicationController instances that
|
114
|
-
take more two arguments or a block from raising `ArgumentError: wrong
|
115
|
-
number of arguments (2 for 1)` when performing controller tests.
|
116
|
-
|
117
|
-
*Matthew Gerrior*
|
118
|
-
|
119
|
-
* Fix to keep original header instance in `ActionDispatch::SSL`
|
120
|
-
|
121
|
-
`ActionDispatch::SSL` changes headers to `Hash`.
|
122
|
-
So some headers will be broken if there are some middlewares
|
123
|
-
on `ActionDispatch::SSL` and if it uses `Rack::Utils::HeaderHash`.
|
124
|
-
|
125
|
-
*Fumiaki Matsushima*
|
126
|
-
|
127
|
-
|
128
|
-
## Rails 4.2.3 (June 25, 2015) ##
|
129
|
-
|
130
|
-
* Fix rake routes not showing the right format when
|
131
|
-
nesting multiple routes.
|
132
|
-
|
133
|
-
See #18373.
|
134
|
-
|
135
|
-
*Ravil Bayramgalin*
|
136
|
-
|
137
|
-
* Fix regression where a gzip file response would have a Content-type,
|
138
|
-
even when it was a 304 status code.
|
139
|
-
|
140
|
-
See #19271.
|
141
|
-
|
142
|
-
*Kohei Suzuki*
|
143
|
-
|
144
|
-
* Fix handling of empty X_FORWARDED_HOST header in raw_host_with_port
|
145
|
-
|
146
|
-
Previously, an empty X_FORWARDED_HOST header would cause
|
147
|
-
Actiondispatch::Http:URL.raw_host_with_port to return nil, causing
|
148
|
-
Actiondispatch::Http:URL.host to raise a NoMethodError.
|
149
|
-
|
150
|
-
*Adam Forsyth*
|
151
|
-
|
152
|
-
* Fallback to `ENV['RAILS_RELATIVE_URL_ROOT']` in `url_for`.
|
153
|
-
|
154
|
-
Fixed an issue where the `RAILS_RELATIVE_URL_ROOT` environment variable is not
|
155
|
-
prepended to the path when `url_for` is called. If `SCRIPT_NAME` (used by Rack)
|
156
|
-
is set, it takes precedence.
|
157
|
-
|
158
|
-
Fixes #5122.
|
159
|
-
|
160
|
-
*Yasyf Mohamedali*
|
161
|
-
|
162
|
-
* Fix regression in functional tests. Responses should have default headers
|
163
|
-
assigned.
|
164
|
-
|
165
|
-
See #18423.
|
166
|
-
|
167
|
-
*Jeremy Kemper*, *Yves Senn*
|
57
|
+
## Rails 5.2.4.4 (September 09, 2020) ##
|
168
58
|
|
59
|
+
* No changes.
|
169
60
|
|
170
|
-
## Rails 4.2.2 (June 16, 2015) ##
|
171
61
|
|
172
|
-
|
62
|
+
## Rails 5.2.4.3 (May 18, 2020) ##
|
173
63
|
|
64
|
+
* [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
|
174
65
|
|
175
|
-
|
66
|
+
* [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
|
176
67
|
|
177
|
-
* Non-string authenticity tokens do not raise NoMethodError when decoding
|
178
|
-
the masked token.
|
179
68
|
|
180
|
-
|
69
|
+
## Rails 5.2.4.2 (March 19, 2020) ##
|
181
70
|
|
182
|
-
*
|
71
|
+
* No changes.
|
183
72
|
|
184
|
-
Fixes an issue where a mounted rack app at root would intercept the HEAD
|
185
|
-
request causing an incorrect behavior during the fall back to GET requests.
|
186
73
|
|
187
|
-
|
188
|
-
```ruby
|
189
|
-
draw do
|
190
|
-
get '/home' => 'test#index'
|
191
|
-
mount rack_app, at: '/'
|
192
|
-
end
|
193
|
-
head '/home'
|
194
|
-
assert_response :success
|
195
|
-
```
|
196
|
-
In this case, a HEAD request runs through the routes the first time and fails
|
197
|
-
to match anything. Then, it runs through the list with the fallback and matches
|
198
|
-
`get '/home'`. The original behavior would match the rack app in the first pass.
|
74
|
+
## Rails 5.2.4.1 (December 18, 2019) ##
|
199
75
|
|
200
|
-
|
76
|
+
* Fix possible information leak / session hijacking vulnerability.
|
201
77
|
|
202
|
-
|
78
|
+
The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
|
79
|
+
gem dalli to be updated as well.
|
203
80
|
|
204
|
-
|
205
|
-
|
206
|
-
the
|
81
|
+
_Breaking changes:_
|
82
|
+
* `session.id` now returns an instance of `Rack::Session::SessionId` and not a String (use `session.id.public_id` to restore the old behaviour, see #38063)
|
83
|
+
* Accessing the session id using `session[:session_id]`/`session['session_id']` no longer works with
|
84
|
+
ruby 2.2 (see https://github.com/rails/rails/commit/2a52a38cb51b65d71cf91fc960777213cf96f962#commitcomment-37929811)
|
207
85
|
|
208
|
-
|
86
|
+
CVE-2019-16782.
|
209
87
|
|
210
|
-
*Tekin Suleyman*, *Dominic Baggott*
|
211
88
|
|
212
|
-
|
213
|
-
the test response.
|
89
|
+
## Rails 5.2.4 (November 27, 2019) ##
|
214
90
|
|
215
|
-
|
91
|
+
* No changes.
|
216
92
|
|
217
|
-
* Ensure `append_info_to_payload` is called even if an exception is raised.
|
218
93
|
|
219
|
-
|
220
|
-
payload data is not available.
|
94
|
+
## Rails 5.2.3 (March 27, 2019) ##
|
221
95
|
|
222
|
-
|
223
|
-
* #14903
|
224
|
-
* https://github.com/roidrage/lograge/issues/37
|
96
|
+
* Allow using `public` and `no-cache` together in the the Cache Control header.
|
225
97
|
|
226
|
-
|
98
|
+
Before this change, even if `public` was specified in the Cache Control header,
|
99
|
+
it was excluded when `no-cache` was included. This change preserves the
|
100
|
+
`public` value as is.
|
227
101
|
|
228
|
-
|
102
|
+
Fixes #34780.
|
229
103
|
|
230
|
-
*
|
104
|
+
*Yuji Yaginuma*
|
231
105
|
|
232
|
-
*
|
233
|
-
of returning a single space " ".
|
106
|
+
* Allow `nil` params for `ActionController::TestCase`.
|
234
107
|
|
235
|
-
|
236
|
-
version of Safari, where the HTTP headers are not returned correctly
|
237
|
-
if the response body has a 0-length. This is been fixed since and
|
238
|
-
the workaround is no longer necessary.
|
108
|
+
*Ryo Nakamura*
|
239
109
|
|
240
|
-
Fixes #18253.
|
241
110
|
|
242
|
-
|
111
|
+
## Rails 5.2.2.1 (March 11, 2019) ##
|
243
112
|
|
244
|
-
*
|
113
|
+
* No changes.
|
245
114
|
|
246
|
-
*Travis Grathwell*
|
247
115
|
|
248
|
-
|
116
|
+
## Rails 5.2.2 (December 04, 2018) ##
|
249
117
|
|
250
|
-
|
118
|
+
* Reset Capybara sessions if failed system test screenshot raising an exception.
|
251
119
|
|
252
|
-
|
120
|
+
Reset Capybara sessions if `take_failed_screenshot` raise exception
|
121
|
+
in system test `after_teardown`.
|
253
122
|
|
254
|
-
*
|
123
|
+
*Maxim Perepelitsa*
|
255
124
|
|
256
|
-
|
125
|
+
* Use request object for context if there's no controller
|
257
126
|
|
127
|
+
There is no controller instance when using a redirect route or a
|
128
|
+
mounted rack application so pass the request object as the context
|
129
|
+
when resolving dynamic CSP sources in this scenario.
|
258
130
|
|
259
|
-
|
131
|
+
Fixes #34200.
|
260
132
|
|
261
|
-
*
|
262
|
-
`Hash` representation of Parameters object. This is now a preferred way to
|
263
|
-
retrieve unfiltered parameters as we will stop inheriting `AC::Parameters`
|
264
|
-
object in Rails 5.0.
|
133
|
+
*Andrew White*
|
265
134
|
|
266
|
-
|
135
|
+
* Apply mapping to symbols returned from dynamic CSP sources
|
267
136
|
|
268
|
-
|
269
|
-
|
137
|
+
Previously if a dynamic source returned a symbol such as :self it
|
138
|
+
would be converted to a string implicity, e.g:
|
270
139
|
|
271
|
-
|
140
|
+
policy.default_src -> { :self }
|
272
141
|
|
273
|
-
|
142
|
+
would generate the header:
|
274
143
|
|
275
|
-
|
144
|
+
Content-Security-Policy: default-src self
|
276
145
|
|
277
|
-
|
278
|
-
Fixes #16958.
|
146
|
+
and now it generates:
|
279
147
|
|
280
|
-
|
148
|
+
Content-Security-Policy: default-src 'self'
|
281
149
|
|
282
|
-
*
|
150
|
+
*Andrew White*
|
283
151
|
|
284
|
-
|
285
|
-
be safely removed; otherwise, the corresponding `*_url` helper should be
|
286
|
-
used instead.
|
152
|
+
* Fix `rails routes -c` for controller name consists of multiple word.
|
287
153
|
|
288
|
-
|
154
|
+
*Yoshiyuki Kinjo*
|
289
155
|
|
290
|
-
|
156
|
+
* Call the `#redirect_to` block in controller context.
|
291
157
|
|
292
|
-
*
|
158
|
+
*Steven Peckins*
|
293
159
|
|
294
|
-
The scanner in Journey failed to recognize routes that use literals
|
295
|
-
from the sub-delims section of RFC 3986. It's now able to parse those
|
296
|
-
authorized delimiters and route as expected.
|
297
160
|
|
298
|
-
|
161
|
+
## Rails 5.2.1.1 (November 27, 2018) ##
|
299
162
|
|
300
|
-
|
163
|
+
* No changes.
|
301
164
|
|
302
|
-
* Deprecate implicit Array conversion for Response objects. It was added
|
303
|
-
(using `#to_ary`) so we could conveniently use implicit splatting:
|
304
165
|
|
305
|
-
|
166
|
+
## Rails 5.2.1 (August 07, 2018) ##
|
306
167
|
|
307
|
-
|
308
|
-
cascades down to the Rack body. Nonsense behavior. Instead, rely on
|
309
|
-
explicit conversion and splatting with `#to_a`:
|
168
|
+
* Prevent `?null=` being passed on JSON encoded test requests.
|
310
169
|
|
311
|
-
|
170
|
+
`RequestEncoder#encode_params` won't attempt to parse params if
|
171
|
+
there are none.
|
312
172
|
|
313
|
-
|
173
|
+
So call like this will no longer append a `?null=` query param.
|
314
174
|
|
315
|
-
|
175
|
+
get foos_url, as: :json
|
316
176
|
|
317
|
-
|
318
|
-
and fails for JRuby in 1.9 mode.
|
177
|
+
*Alireza Bashiri*
|
319
178
|
|
320
|
-
|
179
|
+
* Ensure `ActionController::Parameters#transform_values` and
|
180
|
+
`ActionController::Parameters#transform_values!` converts hashes into
|
181
|
+
parameters.
|
321
182
|
|
322
|
-
*
|
323
|
-
routes.
|
183
|
+
*Kevin Sjöberg*
|
324
184
|
|
325
|
-
|
185
|
+
* Fix strong parameters `permit!` with nested arrays.
|
326
186
|
|
327
|
-
|
187
|
+
Given:
|
188
|
+
```
|
189
|
+
params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
|
190
|
+
params.permit!
|
191
|
+
```
|
328
192
|
|
329
|
-
|
193
|
+
`params[:nested_arrays][0][0].permitted?` will now return `true` instead of `false`.
|
330
194
|
|
331
|
-
|
195
|
+
*Steve Hull*
|
332
196
|
|
333
|
-
|
334
|
-
|
197
|
+
* Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
|
198
|
+
`ActionController::TestCase` subclasses.
|
335
199
|
|
336
|
-
*
|
200
|
+
*Eugene Kenny*
|
337
201
|
|
338
|
-
*
|
202
|
+
* Output only one Content-Security-Policy nonce header value per request.
|
339
203
|
|
340
|
-
|
341
|
-
HEAD routes. If no match is found, we will then map the HEAD request to
|
342
|
-
GET routes.
|
204
|
+
Fixes #32597.
|
343
205
|
|
344
|
-
*
|
206
|
+
*Andrey Novikov*, *Andrew White*
|
345
207
|
|
346
|
-
*
|
347
|
-
of gzipped assets on disk. By default a gzip asset will be served if
|
348
|
-
the client supports gzip and a compressed file is on disk.
|
208
|
+
* Only disable GPUs for headless Chrome on Windows.
|
349
209
|
|
350
|
-
|
210
|
+
It is not necessary anymore for Linux and macOS machines.
|
351
211
|
|
352
|
-
|
353
|
-
`HashWithIndifferentAccess` in the next major release. If you use any method
|
354
|
-
that is not available on `ActionController::Parameters` you should consider
|
355
|
-
calling `#to_h` to convert it to a `Hash` first before calling that method.
|
212
|
+
https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
|
356
213
|
|
357
|
-
*
|
214
|
+
*Stefan Wrobel*
|
358
215
|
|
359
|
-
*
|
360
|
-
keys removed. This change is to reflect on a security concern where some
|
361
|
-
method performed on an `ActionController::Parameters` may yield a `Hash`
|
362
|
-
object which does not maintain `permitted?` status. If you would like to
|
363
|
-
get a `Hash` with all the keys intact, duplicate and mark it as permitted
|
364
|
-
before calling `#to_h`.
|
216
|
+
* Fix system tests transactions not closed between examples.
|
365
217
|
|
366
|
-
|
367
|
-
name: 'Senjougahara Hitagi',
|
368
|
-
oddity: 'Heavy stone crab'
|
369
|
-
})
|
370
|
-
params.to_h
|
371
|
-
# => {}
|
218
|
+
*Sergey Tarasov*
|
372
219
|
|
373
|
-
unsafe_params = params.dup.permit!
|
374
|
-
unsafe_params.to_h
|
375
|
-
# => {"name"=>"Senjougahara Hitagi", "oddity"=>"Heavy stone crab"}
|
376
220
|
|
377
|
-
|
378
|
-
safe_params.to_h
|
379
|
-
# => {"name"=>"Senjougahara Hitagi"}
|
221
|
+
## Rails 5.2.0 (April 09, 2018) ##
|
380
222
|
|
381
|
-
|
382
|
-
`ActionController::Parameters` to inherit from `HashWithIndifferentAccess`
|
383
|
-
in the next minor release.
|
223
|
+
* Check exclude before flagging cookies as secure.
|
384
224
|
|
385
|
-
*
|
225
|
+
*Catherine Khuu*
|
386
226
|
|
387
|
-
*
|
227
|
+
* Always yield a CSP policy instance from `content_security_policy`
|
388
228
|
|
389
|
-
|
229
|
+
This allows a controller action to enable the policy individually
|
230
|
+
for a controller and/or specific actions.
|
390
231
|
|
391
|
-
*
|
392
|
-
`:hybrid` serializer. This allows you to serialize custom Ruby objects into
|
393
|
-
cookies by defining the `#as_json` hook on such objects.
|
232
|
+
*Andrew White*
|
394
233
|
|
395
|
-
|
234
|
+
* Add the ability to disable the global CSP in a controller, e.g:
|
396
235
|
|
397
|
-
|
236
|
+
class LegacyPagesController < ApplicationController
|
237
|
+
content_security_policy false, only: :index
|
238
|
+
end
|
398
239
|
|
399
|
-
*
|
400
|
-
digest. The default remains the same - 'SHA1'.
|
240
|
+
*Andrew White*
|
401
241
|
|
402
|
-
|
242
|
+
* Add alias method `to_hash` to `to_h` for `cookies`.
|
243
|
+
Add alias method `to_h` to `to_hash` for `session`.
|
403
244
|
|
404
|
-
*
|
405
|
-
the `responders` gem.
|
245
|
+
*Igor Kasyanchuk*
|
406
246
|
|
407
|
-
|
247
|
+
* Update the default HSTS max-age value to 31536000 seconds (1 year)
|
248
|
+
to meet the minimum max-age requirement for https://hstspreload.org/.
|
408
249
|
|
409
|
-
*
|
250
|
+
*Grant Bourque*
|
410
251
|
|
411
|
-
|
412
|
-
When you call `fresh_when @post`, the digest for `posts/show.html.erb`
|
413
|
-
is mixed in so future changes to the HTML will blow HTTP caches for you.
|
414
|
-
This makes it easy to HTTP-cache many more of your actions.
|
252
|
+
* Add support for automatic nonce generation for Rails UJS.
|
415
253
|
|
416
|
-
|
417
|
-
|
254
|
+
Because the UJS library creates a script tag to process responses it
|
255
|
+
normally requires the script-src attribute of the content security
|
256
|
+
policy to include 'unsafe-inline'.
|
418
257
|
|
419
|
-
|
258
|
+
To work around this we generate a per-request nonce value that is
|
259
|
+
embedded in a meta tag in a similar fashion to how CSRF protection
|
260
|
+
embeds its token in a meta tag. The UJS library can then read the
|
261
|
+
nonce value and set it on the dynamically generated script tag to
|
262
|
+
enable it to execute without needing 'unsafe-inline' enabled.
|
420
263
|
|
421
|
-
|
264
|
+
Nonce generation isn't 100% safe - if your script tag is including
|
265
|
+
user generated content in someway then it may be possible to exploit
|
266
|
+
an XSS vulnerability which can take advantage of the nonce. It is
|
267
|
+
however an improvement on a blanket permission for inline scripts.
|
422
268
|
|
423
|
-
|
269
|
+
It is also possible to use the nonce within your own script tags by
|
270
|
+
using `nonce: true` to set the nonce value on the tag, e.g
|
424
271
|
|
425
|
-
|
272
|
+
<%= javascript_tag nonce: true do %>
|
273
|
+
alert('Hello, World!');
|
274
|
+
<% end %>
|
426
275
|
|
427
|
-
|
428
|
-
in favor of `AbstractController::Helpers::MissingHelperError`.
|
276
|
+
Fixes #31689.
|
429
277
|
|
430
|
-
*
|
278
|
+
*Andrew White*
|
431
279
|
|
432
|
-
*
|
280
|
+
* Matches behavior of `Hash#each` in `ActionController::Parameters#each`.
|
433
281
|
|
434
|
-
|
282
|
+
Rails 5.0 introduced a bug when looping through controller params using `each`. Only the keys of params hash were passed to the block, e.g.
|
435
283
|
|
436
|
-
|
437
|
-
|
284
|
+
# Parameters: {"param"=>"1", "param_two"=>"2"}
|
285
|
+
def index
|
286
|
+
params.each do |name|
|
287
|
+
puts name
|
288
|
+
end
|
289
|
+
end
|
438
290
|
|
439
|
-
|
291
|
+
# Prints
|
292
|
+
# param
|
293
|
+
# param_two
|
440
294
|
|
441
|
-
|
442
|
-
loopback address.
|
295
|
+
In Rails 5.2 the bug has been fixed and name will be an array (which was the behavior for all versions prior to 5.0), instead of a string.
|
443
296
|
|
444
|
-
|
297
|
+
To fix the code above simply change as per example below:
|
445
298
|
|
446
|
-
|
447
|
-
|
299
|
+
# Parameters: {"param"=>"1", "param_two"=>"2"}
|
300
|
+
def index
|
301
|
+
params.each do |name, value|
|
302
|
+
puts name
|
303
|
+
end
|
304
|
+
end
|
448
305
|
|
449
|
-
|
450
|
-
|
451
|
-
|
452
|
-
available to any custom exceptions_app. The original `PATH_INFO` is now
|
453
|
-
stashed in `env["action_dispatch.original_path"]`.
|
306
|
+
# Prints
|
307
|
+
# param
|
308
|
+
# param_two
|
454
309
|
|
455
|
-
*
|
310
|
+
*Dominic Cleal*
|
456
311
|
|
457
|
-
*
|
458
|
-
overflow.
|
312
|
+
* Add `Referrer-Policy` header to default headers set.
|
459
313
|
|
460
|
-
*
|
314
|
+
*Guillermo Iguaran*
|
461
315
|
|
462
|
-
*
|
463
|
-
|
316
|
+
* Changed the system tests to set Puma as default server only when the
|
317
|
+
user haven't specified manually another server.
|
464
318
|
|
465
|
-
|
466
|
-
Safari, where the HTTP headers are not returned correctly if the response
|
467
|
-
body has a 0-length. This is been fixed since and the workaround is no
|
468
|
-
longer necessary.
|
319
|
+
*Guillermo Iguaran*
|
469
320
|
|
470
|
-
|
321
|
+
* Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
|
322
|
+
default headers set.
|
471
323
|
|
472
|
-
|
324
|
+
*Guillermo Iguaran*
|
473
325
|
|
474
|
-
|
326
|
+
* Add headless firefox support to System Tests.
|
475
327
|
|
476
|
-
*
|
477
|
-
("Rosetta Flash").
|
328
|
+
*bogdanvlviv*
|
478
329
|
|
479
|
-
|
330
|
+
* Changed the default system test screenshot output from `inline` to `simple`.
|
480
331
|
|
481
|
-
|
482
|
-
the
|
483
|
-
|
484
|
-
|
332
|
+
`inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like
|
333
|
+
Terminal.app ignore the `inline` and output the path to the file since it can't
|
334
|
+
render the image. Other terminals, like those on Ubuntu, cannot handle the image
|
335
|
+
inline, but also don't handle it gracefully and instead of outputting the file
|
336
|
+
path, it dumps binary into the terminal.
|
485
337
|
|
486
|
-
|
338
|
+
Commit 9d6e28 fixes this by changing the default for screenshot to be `simple`.
|
487
339
|
|
488
|
-
*
|
340
|
+
*Eileen M. Uchitelle*
|
489
341
|
|
490
|
-
*
|
342
|
+
* Register most popular audio/video/font mime types supported by modern browsers.
|
491
343
|
|
492
|
-
|
344
|
+
*Guillermo Iguaran*
|
493
345
|
|
494
|
-
|
346
|
+
* Fix optimized url helpers when using relative url root.
|
495
347
|
|
496
|
-
|
497
|
-
when rendering through a `respond_to` block.
|
348
|
+
Fixes #31220.
|
498
349
|
|
499
|
-
|
350
|
+
*Andrew White*
|
500
351
|
|
501
|
-
|
352
|
+
* Add DSL for configuring Content-Security-Policy header.
|
502
353
|
|
503
|
-
|
504
|
-
|
505
|
-
|
354
|
+
The DSL allows you to configure a global Content-Security-Policy
|
355
|
+
header and then override within a controller. For more information
|
356
|
+
about the Content-Security-Policy header see MDN:
|
506
357
|
|
507
|
-
|
358
|
+
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
|
508
359
|
|
509
|
-
|
360
|
+
Example global policy:
|
510
361
|
|
511
|
-
|
362
|
+
# config/initializers/content_security_policy.rb
|
363
|
+
Rails.application.config.content_security_policy do |p|
|
364
|
+
p.default_src :self, :https
|
365
|
+
p.font_src :self, :https, :data
|
366
|
+
p.img_src :self, :https, :data
|
367
|
+
p.object_src :none
|
368
|
+
p.script_src :self, :https
|
369
|
+
p.style_src :self, :https, :unsafe_inline
|
370
|
+
end
|
512
371
|
|
513
|
-
|
372
|
+
Example controller overrides:
|
514
373
|
|
515
|
-
|
374
|
+
# Override policy inline
|
375
|
+
class PostsController < ApplicationController
|
376
|
+
content_security_policy do |p|
|
377
|
+
p.upgrade_insecure_requests true
|
378
|
+
end
|
379
|
+
end
|
516
380
|
|
517
|
-
|
381
|
+
# Using literal values
|
382
|
+
class PostsController < ApplicationController
|
383
|
+
content_security_policy do |p|
|
384
|
+
p.base_uri "https://www.example.com"
|
385
|
+
end
|
386
|
+
end
|
518
387
|
|
519
|
-
|
388
|
+
# Using mixed static and dynamic values
|
389
|
+
class PostsController < ApplicationController
|
390
|
+
content_security_policy do |p|
|
391
|
+
p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
|
392
|
+
end
|
393
|
+
end
|
520
394
|
|
521
|
-
|
522
|
-
|
395
|
+
Allows you to also only report content violations for migrating
|
396
|
+
legacy content using the `content_security_policy_report_only`
|
397
|
+
configuration attribute, e.g;
|
523
398
|
|
524
|
-
|
399
|
+
# config/initializers/content_security_policy.rb
|
400
|
+
Rails.application.config.content_security_policy_report_only = true
|
525
401
|
|
526
|
-
|
402
|
+
# controller override
|
403
|
+
class PostsController < ApplicationController
|
404
|
+
content_security_policy_report_only only: :index
|
405
|
+
end
|
527
406
|
|
528
|
-
|
529
|
-
|
407
|
+
Note that this feature does not validate the header for performance
|
408
|
+
reasons since the header is calculated at runtime.
|
530
409
|
|
531
|
-
*
|
410
|
+
*Andrew White*
|
532
411
|
|
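Review bot: the closing sentence says the header is not validated, so a misspelled directive value, or a lambda in the mixed static/dynamic example that returns nil, ships an invalid or weakened `Content-Security-Policy` header silently; the entry should recommend asserting on the generated header in an integration test. The dynamic `-> { "https://#{current_user.domain}.example.com" }` example also interpolates application data into that unvalidated header, so it is worth stating that such values must not contain whitespace or semicolons, and the `:unsafe_inline` in the example global `style_src` should be marked as illustrative rather than recommended.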
533
|
-
*
|
534
|
-
application. Use of a symbol should be replaced with `action: symbol`.
|
535
|
-
Use of a string without a "#" should be replaced with `controller: string`.
|
412
|
+
* Make `assert_recognizes` to traverse mounted engines.
|
536
413
|
|
537
|
-
*
|
414
|
+
*Yuichiro Kaneko*
|
538
415
|
|
539
|
-
*
|
540
|
-
a trailing slash after `.:format`
|
416
|
+
* Remove deprecated `ActionController::ParamsParser::ParseError`.
|
541
417
|
|
542
|
-
*
|
418
|
+
*Rafael Mendonça França*
|
543
419
|
|
544
|
-
*
|
545
|
-
performance reasons. One consequence of this is that the leading slash
|
546
|
-
is now required in integration test `process` helpers, whereas previously
|
547
|
-
it could be omitted. The fact that this worked was a unintended consequence
|
548
|
-
of the implementation and was never an intentional feature.
|
420
|
+
* Add `:allow_other_host` option to `redirect_back` method.
|
549
421
|
|
550
|
-
|
422
|
+
When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
|
423
|
+
different host. `allow_other_host` is `true` by default.
|
551
424
|
|
552
|
-
*
|
553
|
-
called 'status' in a controller.
|
425
|
+
*Tim Masliuchenko*
|
554
426
|
|
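Review bot: with `allow_other_host` defaulting to `true` the new check is opt-in and the existing behaviour of following a cross-host `Referer` is unchanged; the entry should say so explicitly and show a call passing `allow_other_host: false` so readers know how to enable it. The description also says redirecting "from a different host" is not allowed; it is the redirect target that sits on another host, so "to a different host" reads correctly.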
555
|
-
|
427
|
+
* Add headless chrome support to System Tests.
|
556
428
|
|
557
|
-
*
|
429
|
+
*Yuji Yaginuma*
|
558
430
|
|
559
|
-
* Add
|
431
|
+
* Add ability to enable Early Hints for HTTP/2
|
560
432
|
|
561
|
-
|
433
|
+
If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
|
562
434
|
|
563
|
-
|
435
|
+
The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
|
564
436
|
|
565
|
-
|
566
|
-
for the `*_fragment.action_controller` notifications. This allows tracking
|
567
|
-
e.g. the fragment cache hit rates for each controller action.
|
437
|
+
*Eileen M. Uchitelle*, *Aaron Patterson*
|
568
438
|
|
569
|
-
|
439
|
+
* Simplify cookies middleware with key rotation support
|
570
440
|
|
571
|
-
|
441
|
+
Use the `rotate` method for both `MessageEncryptor` and
|
442
|
+
`MessageVerifier` to add key rotation support for encrypted and
|
443
|
+
signed cookies. This also helps simplify support for legacy cookie
|
444
|
+
security.
|
572
445
|
|
573
|
-
|
446
|
+
*Michael J Coyne*
|
574
447
|
|
575
|
-
|
448
|
+
* Use Capybara registered `:puma` server config.
|
576
449
|
|
577
|
-
|
578
|
-
and
|
450
|
+
The Capybara registered `:puma` server ensures the puma server is run in process so
|
451
|
+
connection sharing and open request detection work correctly by default.
|
579
452
|
|
580
|
-
|
453
|
+
*Thomas Walpole*
|
581
454
|
|
582
|
-
|
455
|
+
* Cookies `:expires` option supports `ActiveSupport::Duration` object.
|
583
456
|
|
584
|
-
|
585
|
-
|
586
|
-
silently fail to enforce the constraint. It will now raise an `ArgumentError`
|
587
|
-
when setting up the routes.
|
457
|
+
cookies[:user_name] = { value: "assain", expires: 1.hour }
|
458
|
+
cookies[:key] = { value: "a yummy cookie", expires: 6.months }
|
588
459
|
|
589
|
-
|
460
|
+
Pull Request: #30121
|
590
461
|
|
591
|
-
*
|
592
|
-
purposes of remote IP detection. Also handle uppercase private IPv6
|
593
|
-
addresses.
|
462
|
+
*Assain Jaleel*
|
594
463
|
|
595
|
-
|
464
|
+
* Enforce signed/encrypted cookie expiry server side.
|
596
465
|
|
597
|
-
|
466
|
+
Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
|
598
467
|
|
599
|
-
|
468
|
+
It does so by stashing the expiry within the written cookie and relying on the
|
469
|
+
signing/encrypting to vouch that it hasn't been tampered with. Then on a
|
470
|
+
server-side read, the expiry is verified and any expired cookie is discarded.
|
600
471
|
|
601
|
-
|
602
|
-
cookies are marshal-encoded. This is not the case when `secret_token` is
|
603
|
-
used in conjunction with the `:json` or `:hybrid` serializer.
|
472
|
+
Pull Request: #30121
|
604
473
|
|
605
|
-
|
606
|
-
`TypeError: incompatible marshal file format` and a 500 error for the user.
|
474
|
+
*Assain Jaleel*
|
607
475
|
|
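Review bot: `Pull Request: #30121` is cited under both this entry and the `:expires` / `ActiveSupport::Duration` entry above; if both changes landed in one PR the two entries could be merged, otherwise one of the references is a copy-paste. It is also worth stating that the server-side expiry check covers only signed and encrypted cookies, as the heading says; a plain `cookies[...]` value still relies on the client honouring `expires`.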
608
|
-
|
476
|
+
* Make `take_failed_screenshot` work within engine.
|
609
477
|
|
610
|
-
|
478
|
+
Fixes #30405.
|
611
479
|
|
612
|
-
*
|
480
|
+
*Yuji Yaginuma*
|
613
481
|
|
614
|
-
|
615
|
-
2. Add an `escape_segment` helper to `Router::Utils` that escapes '/' characters
|
616
|
-
3. Use `escape_segment` rather than `escape_fragment` in optimized URL generation
|
617
|
-
4. Use `escape_segment` rather than `escape_path` in URL generation
|
482
|
+
* Deprecate `ActionDispatch::TestResponse` response aliases.
|
618
483
|
|
619
|
-
|
620
|
-
|
621
|
-
|
622
|
-
is used in the path then this uses `escape_path` as the controller may be namespaced.
|
484
|
+
`#success?`, `#missing?` & `#error?` are not supported by the actual
|
485
|
+
`ActionDispatch::Response` object and can produce false-positives. Instead,
|
486
|
+
use the response helpers provided by `Rack::Response`.
|
623
487
|
|
624
|
-
|
488
|
+
*Trevor Wistaff*
|
625
489
|
|
626
|
-
|
490
|
+
* Protect from forgery by default
|
627
491
|
|
628
|
-
|
629
|
-
`
|
492
|
+
Rather than protecting from forgery in the generated `ApplicationController`,
|
493
|
+
add it to `ActionController::Base` depending on
|
494
|
+
`config.action_controller.default_protect_from_forgery`. This configuration
|
495
|
+
defaults to false to support older versions which have removed it from their
|
496
|
+
`ApplicationController`, but is set to true for Rails 5.2.
|
630
497
|
|
631
|
-
*
|
498
|
+
*Lisa Ugray*
|
632
499
|
|
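Review bot: "defaults to false ... but is set to true for Rails 5.2" is ambiguous about where the `true` comes from (a framework default versus the configuration generated for new applications), and that decides whether an upgraded application that already removed `protect_from_forgery` from its `ApplicationController` gets the protection back; the entry should name the mechanism that sets it to true.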
633
|
-
*
|
634
|
-
format block.
|
500
|
+
* Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
|
635
501
|
|
636
|
-
|
502
|
+
*Kir Shatrov*
|
637
503
|
|
638
|
-
|
504
|
+
* `driven_by` now registers poltergeist and capybara-webkit.
|
639
505
|
|
640
|
-
|
506
|
+
If poltergeist or capybara-webkit are set as drivers is set for System Tests,
|
507
|
+
`driven_by` will register the driver and set additional options passed via
|
508
|
+
the `:options` parameter.
|
641
509
|
|
642
|
-
|
510
|
+
Refer to the respective driver's documentation to see what options can be passed.
|
643
511
|
|
644
|
-
*
|
512
|
+
*Mario Chavez*
|
645
513
|
|
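Review bot: "If poltergeist or capybara-webkit are set as drivers is set for System Tests" contains a duplicated clause; suggest "If poltergeist or capybara-webkit is set as the driver for System Tests".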
646
|
-
|
514
|
+
* AEAD encrypted cookies and sessions with GCM.
|
647
515
|
|
648
|
-
|
516
|
+
Encrypted cookies now use AES-GCM which couples authentication and
|
517
|
+
encryption in one faster step and produces shorter ciphertexts. Cookies
|
518
|
+
encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
|
519
|
+
this new mode is enabled via the
|
520
|
+
`action_dispatch.use_authenticated_cookie_encryption` configuration value.
|
649
521
|
|
650
|
-
*
|
522
|
+
*Michael J Coyne*
|
651
523
|
|
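Review bot: the entry says CBC+HMAC cookies are "seamlessly upgraded" once `action_dispatch.use_authenticated_cookie_encryption` is enabled, but not whether that setting is on by default, whether a legacy cookie is rewritten in GCM form on first read, or how long the CBC+HMAC path keeps being accepted; all three matter for planning a migration and for knowing when the legacy decryption path can be retired. Suggest a sentence on each.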
652
|
-
|
524
|
+
* Change the cache key format for fragments to make it easier to debug key churn. The new format is:
|
653
525
|
|
654
|
-
|
655
|
-
|
526
|
+
views/template/action.html.erb:7a1156131a6928cb0026877f8b749ac9/projects/123
|
527
|
+
^template path ^template tree digest ^class ^id
|
656
528
|
|
657
|
-
|
529
|
+
*DHH*
|
658
530
|
|
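Review bot: the annotation line `^template path ^template tree digest ^class ^id` has lost the whitespace that placed each caret under its segment of the example key, so as rendered it no longer points at anything; restore the alignment (the example is indented, so leading spaces survive) or describe the four segments in prose.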
659
|
-
|
531
|
+
* Add support for recyclable cache keys with fragment caching. This uses the new versioned entries in the
|
532
|
+
`ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
|
533
|
+
to support it.
|
660
534
|
|
661
|
-
*
|
662
|
-
we need to check if we're not inside a nested scope before copying the :path
|
663
|
-
and :as options to their shallow equivalents.
|
535
|
+
*DHH*
|
664
536
|
|
665
|
-
|
537
|
+
* Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load`
|
666
538
|
|
667
|
-
|
539
|
+
`ActionController::Base` and `ActionController::API` have differing implementations. This means that
|
540
|
+
the one umbrella hook `action_controller` is not able to address certain situations where a method
|
541
|
+
may not exist in a certain implementation.
|
668
542
|
|
669
|
-
|
670
|
-
`log_warning_on_csrf_failure` configuration setting in
|
671
|
-
`ActionController::RequestForgeryProtection`.
|
543
|
+
This is fixed by adding two new hooks so you can target `ActionController::Base` vs `ActionController::API`
|
672
544
|
|
673
|
-
|
545
|
+
Fixes #27013.
|
674
546
|
|
675
|
-
*
|
676
|
-
`default_url_options` methods.
|
547
|
+
*Julian Nadeau*
|
677
548
|
|
678
|
-
*Tony Wooster*
|
679
549
|
|
680
|
-
Please check [
|
550
|
+
Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionpack/CHANGELOG.md) for previous changes.
|